The software supply chain was always vulnerable—JP Morgan just said it out loud

29 April 2025

Author

Aili McConnon

Tech Reporter, Editorial Lead

IBM

When JP Morgan’s Chief Information Security Officer Patrick Opet sounded the alarm in corporate America this week with an open letter urging the industry to prioritize security in the software supply chain, few people heard anything they had not heard before. What made the news striking was its source: the largest US bank (by assets) and the largest bank in the world (by market capitalization)—and financial institutions are not generally known for bold, full-throated statements.

Moreover, Opet’s letter highlights the particular risk for more regulated and sensitive sectors such as finance, where the cost of failure can reach trillions of dollars. The IBM 2024 Cost of a Data Breach report found that the average global cost of a single breach in the financial industry was USD 6.08 million, second only to the healthcare breach costs at USD 9.77 million.

“Convenience can no longer outpace control,” Opet said in his LinkedIn post, and so called on third-party software providers, security leaders and the broader tech community to look more closely at the “single points of failure” that can lead to “potentially catastrophic systemwide consequences.”

This “convenience” can look like a seamlessly integrated system of data and processes that update without lag or manual interaction, which is unarguably a goal for businesses. However, as Nataraj Nagaratnam, IBM’s CTO for AI Security and Infrastructure, warns, “As AI agents popularize more autonomous use of AI, for example, it’s more important than ever to ensure enterprises’ security measures match the risk that comes with these innovations.”

Nagaratnam talked to IBM Think from the floor of the RSA event in San Francisco, where he was joined by 40,000 security professionals at one of the largest cybersecurity events of the year. Opet’s letter was the topic du jour, generating debate—and an acknowledgement that this was a call to arms for creating standards across the industry and a way of measuring adherence to them.



In these early days, the jury is out on exactly what these standards and measures should be. But the stakes couldn’t be higher. One example: the ransomware attack on software vendor CDK Global, which provides software services to the auto industry, cost car dealerships more than USD 1 billion collectively, according to an estimate from Anderson Economic Group, an East Lansing, MI, consulting firm. As Opet put it, “The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system.”

What can we immediately take away from this? IBM’s experts heard three calls to action from Opet’s letter and the surrounding debate:

  1. Secure by design: Security can’t be an afterthought. “Providers must urgently reprioritize security, placing it equal to or above launching new products,” wrote Opet. Mark Hughes, IBM’s Global Managing Partner for Cybersecurity Services, presaged that sentiment in a recent cybersecurity report: “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.” In a LinkedIn post in response to Opet’s letter, Hughes urges companies to address gaps in technology and data governance “before they become entry points for risk.”
  2. Standardized controls: SaaS and other third-party vendors should adopt and inherit standardized controls, says IBM’s Dinesh Nagarajan, a Partner at IBM Consulting for Data & AI, Quantum Safe and Application Security Services. But it is not enough to come up with a standard way of measuring software vendors, he adds; it is also essential to monitor “whether they are complying with the required mandates or controls.” IBM has helped develop industry-wide controls for cloud and has worked with industry bodies such as the Cloud Security Alliance to develop cloud controls for financial institutions in particular. Building on that work, IBM extended the approach to financial institutions’ use of gen AI, in work co-authored with ten banks from several continents.
  3. Governance across the supply chain: SaaS providers and enterprises should take a holistic approach to proactively govern and manage their security and continuously monitor their compliance, says Nagaratnam. One way to do so is for organizations to develop and run their own cybersecurity playbooks—seeking to identify exposures, assess risks and mitigate incident impacts. These incident response playbooks also need to spell out who is responsible for specific actions, such as which party is accountable (and potentially liable) for securing a generative AI solution offered by a third party. Reliance on third-party components requires stringent oversight and control, and a shared understanding of responsibility in which vendors are accountable for securing the entire software stack, not just their own portion.

New industry tools are also appearing nearly every week to help companies with governance and compliance. Just yesterday, for example, Credo AI, an AI governance platform, and IBM collaborated to launch the watsonx.governance Compliance Accelerator, which helps AI use case owners and compliance officers comply with various regulations in a quicker, more automated fashion.

Making individual business leaders accountable for the tech they use would go a long way to improve security, says IBM’s Nagarajan. “When you make business leaders accountable for the tech they use, how it is managed, for what purpose, how it’s kept secure, that will automatically improve security.”
